COPYRIGHT
Copyright 2009 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form
or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FLASHBOX, FOUNDSTONE, GROUPSHIELD, HERCULES, INTRUSHIELD, INTRUSION INTELLIGENCE,
LINUXSHIELD, MANAGED MAIL PROTECTION, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, MCAFEE.COM, NETSHIELD,
PORTALSHIELD, PREVENTSYS, PROTECTION-IN-DEPTH STRATEGY, PROTECTIONPILOT, SECURE MESSAGING SERVICE, SECURITYALLIANCE,
SITEADVISOR, THREATSCAN, TOTAL PROTECTION, VIREX, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc.
and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other
registered and unregistered trademarks herein are the sole property of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED,
WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH
TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS
THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET,
A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU
DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN
THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
Refer to the product Release Notes.
Contents
Protecting against data loss from removable devices and file systems. . . . . . . . . . . . . . 4
Device control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Content protection rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Examples. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Use case: Blocking wireless communication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Use case: Making all USB removable storage read-only except authorized devices. . . . . . . . . . . . . . 10
Use case: Blocking files containing personal identity information. . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Use case: Blocking files created by a GIS application. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Use case: Disabling all CD/DVD burners from writing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Protecting against data loss from removable devices and file systems
Device control
McAfee Host Data Loss Prevention software protects enterprises from the risk associated with
unauthorized transfer of data from within or outside the organization. Data loss is defined as
confidential or private information leaving the enterprise as a result of unauthorized
communication through channels such as applications, physical devices, or network protocols.
Memory sticks are the smallest, easiest, cheapest, and least-traceable method of downloading
large amounts of data, which is why they are often considered the "weapon of choice" for
unauthorized data transfer. McAfee Device Control allows monitoring and controlling external
device behavior based on the device attributes rather than the content being copied. Using
McAfee Device Control, devices attached to enterprise computers, such as smart phones,
removable storage devices, Bluetooth devices, MP3 players, or Plug and Play devices, can be
monitored, blocked, or configured to be read-only.
There are two types of device control rules available in McAfee Device Control:
Plug and Play device rules
Removable storage device rules
Plug and Play device rules
Plug and Play device rules work on the device driver level, and can be used to block and monitor
devices. Whenever a new device is plugged into the computer, McAfee Device Control will match
the new device attributes against the device attributes defined in the Plug and Play device rule.
If a match is found, McAfee Device Control will perform the action (block/monitor/notify user)
defined by the device rule. Plug and Play device rules are used to restrict the use of peripheral
devices such as Bluetooth adapters and modems. Although Plug and Play device rules can also
be applied to removable storage devices, McAfee does not recommend using them for such
devices.
Pros and cons of Plug and Play device rules
Pros:
Cons:
The device blocking is based only on the device attributes and does not inspect content.
Can only block or monitor. Cannot make a device read only.
Recommended use cases:
Block all Bluetooth adapters and modems
The enterprise wants to restrict end users from using Bluetooth and modem communication
to transfer data.
Block all wireless communication
The enterprise wants to restrict end users from using wireless communication while connected
to the corporate network. See Use case: Blocking wireless communication.
Removable storage device rules
Removable storage device rules are used for blocking and monitoring removable storage devices
such as flash drives, MP3 players, and external hard drives. They can block, monitor, or configure
the removable storage to read-only. Whenever a new removable storage device is plugged into
the computer, McAfee Device Control will match the new device attributes against the device
attributes defined in the removable storage device rule. If a match is found McAfee Device
Control will perform the action defined by the device rule.
Removable storage device rules work on the file system level, and allow for more flexibility than
Plug and Play device rules. For example, the removable storage device rule can match a device
based on its file system type (NTFS, FAT32) or file system volume label. In addition, they provide
more accurate device names. For example an iPod is recognized by the Plug and Play mechanism
as USB mass storage device, whereas the removable storage rule recognizes it as Apple iPod,
which is more meaningful. (This description fits older iPods. The iPod Touch is recognized as a
Windows Image Acquisition device.)
McAfee recommends using removable storage device rules, rather than Plug and Play device
rules, to control all devices that provide removable storage, such as USB mass storage devices,
flash drives ("Disk on Key"), and CD/DVD drives.
NOTE: Since Plug and Play device rules are applied on the device driver level, they are applied
before removable storage device rules. The implication is that if a removable storage device is
blocked by both types of rule, the removable storage device rule will not be applied.
Pros and cons of removable storage device rules
Pros:
Allow read-only mode for removable storage devices.
Allow for greater flexibility for device matching (file system type, volume label).
Cons:
The device blocking is based only on the device attributes and does not inspect content.
Recommended use cases:
Make all USB removable storage read-only except authorized devices.
An enterprise has purchased a specific brand of encrypted flash drive and would like to
restrict the use of any other flash drive. See Use case: Making all USB removable storage
read-only except authorized devices.
Content protection rules
Pros:
Allow blocking individual files according to their content and attributes, rather than blocking
the entire device.
Cons:
McAfee Host Data Loss Prevention software uses CPU resources to analyze every file copied
to removable media.
Examples
The following examples demonstrate the techniques discussed in the text.
Use case: Blocking wireless communication
Use case: Making all USB removable storage read-only except authorized devices
Use case: Blocking files containing personal identity information
Use case: Blocking files created by a GIS application
Use case: Disabling all CD/DVD burners from writing
Use case: Blocking wireless communication
Right-click in the device definitions panel, and click Add New | Plug and Play Device
Definition. Type Wireless Network Adapters to rename, and press Enter.
Double-click the device definition to edit it. Select Device Class, then select Network
Adapters and click OK.
Select Device Name. The definition parameter edit dialog box appears.
Click Add New and type wireless into the text box. Select the Allow Partial Match option.
Click Add New and type wlan into the text box. Select the Allow Partial Match option.
Click Add New and type 802.11 into the text box. Select the Allow Partial Match option.
Click OK twice to complete the definition.
Right-click in the device definitions panel, and click Add New | Plug and Play Device
Rule. Type Block wireless network adapters when online to rename, and press Enter.
Double-click to edit the rule. Select Wireless Network Adapters in the Include column.
Click Next.
Select Block, Monitor, and Notify User.
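Before the rule is enforced, it is worth checking what the three partial-match name entries actually catch on representative endpoints, and which adapters in the Network Adapters class they miss. The following PowerShell snippet is an added example, not part of the McAfee guide, and assumes Windows PowerShell with WMI available on the endpoint (on PowerShell 7, Get-CimInstance takes the same class name); the network adapter class GUID and the pattern list are its own inputs.

```powershell
# Added example, not part of the McAfee guide. Previews which adapters on this
# Windows endpoint a Plug and Play device definition with
#   Device Class = Network Adapters
#   Device Name  = wireless | wlan | 802.11   (Allow Partial Match)
# would match. Assumes Windows PowerShell with WMI available.

$netAdapterClassGuid = '{4D36E972-E325-11CE-BFC1-08002BE10318}'  # Windows "Net" device setup class
$namePatterns = @('wireless', 'wlan', '802.11')                   # the three partial-match entries

function Get-WirelessAdapterCandidates {
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.ClassGuid -eq $netAdapterClassGuid } |
        ForEach-Object {
            $device = $_
            # Case-insensitive substring match, like "Allow Partial Match";
            # Escape() keeps the dot in "802.11" literal.
            $hits = @($namePatterns | Where-Object { $device.Name -match [regex]::Escape($_) })
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Name     = $device.Name
                    DeviceID = $device.DeviceID
                    Matched  = ($hits -join ', ')
                }
            }
        }
}

# Adapters in the Net class that match none of the three strings would NOT be
# blocked by the rule; list them too so the definition can be extended.
function Get-UnmatchedNetAdapters {
    $matchedIds = @(Get-WirelessAdapterCandidates | ForEach-Object { $_.DeviceID })
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.ClassGuid -eq $netAdapterClassGuid -and $matchedIds -notcontains $_.DeviceID } |
        Select-Object Name, DeviceID
}

Get-WirelessAdapterCandidates | Format-Table -AutoSize
Get-UnmatchedNetAdapters | Format-Table -AutoSize
```

The second list is the one to read carefully: an adapter whose name says only "Wi-Fi" (some newer Intel adapters are named that way) contains none of the three strings and would keep working after the rule is deployed, so the definition's partial-match list should be extended to whatever the hardware inventory shows. The first list will also include wired adapters whose names happen to contain a matched string, so review it before blocking.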
Use case: Making all USB removable storage read-only except authorized devices
Right-click in the device definitions panel, and click Add New | Removable Storage
Device Definition. Type USB Removable Storage to rename, and press Enter.
Double-click the device definition to edit it. Select Bus Type, select USB and click OK.
Right-click in the device definitions panel again, and click Add New | Removable Storage
Device Definition. Type McAfee Encrypted USB Devices to rename, and press Enter.
Double-click the device definition to edit it. Select USB Vendor ID/Product ID and click
Add New. The definition parameter edit dialog box appears. Add the following Vendor
ID/Product ID pairs:
Vendor ID   Product ID   Description
1A4B        022A
1A4B        3220
1A4B        3200
1A4B        3500
1A4B        3400
TIP: Use the mouse to select the Product ID and Description text boxes.
Right-click in the device definitions panel, and click Add New | Removable Storage
Device Rule. Type Block all USB except McAfee to rename, and press Enter.
Double-click to edit the rule. Select USB Removable Storage in the Include column,
and select McAfee Encrypted USB Devices in the Exclude column. Click Next.
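The exclusion only works if the Vendor ID/Product ID pairs in the definition are what the purchased drives actually report, and the read-only rule will cover every other USB removable disk, whatever its file system or label. The following PowerShell snippet is an added example, not part of the McAfee guide: it enumerates, on a Windows endpoint, the attributes that removable storage device definitions match on (USB VID/PID, file system type, volume label) for the devices currently attached. It assumes Windows PowerShell with WMI available; the authorized ID list is copied from the definition above.

```powershell
# Added example, not part of the McAfee guide. Lists attached USB devices with
# their Vendor ID / Product ID, flags the ones the "McAfee Encrypted USB Devices"
# definition would exclude, and lists removable volumes with the file system
# and label attributes a removable storage definition can also match on.
# Assumes Windows PowerShell with WMI available.

$authorizedVendorId   = '1A4B'                                   # from the definition above
$authorizedProductIds = @('022A', '3220', '3200', '3500', '3400')

function Get-UsbDeviceIds {
    # USB devices report "USB\VID_xxxx&PID_yyyy\<serial or instance id>" as the device ID.
    Get-WmiObject -Class Win32_PnPEntity |
        ForEach-Object {
            if ($_.DeviceID -match '^USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})\\(.+)$') {
                $vendorId  = $Matches[1].ToUpper()
                $productId = $Matches[2].ToUpper()
                [pscustomobject]@{
                    Name       = $_.Name
                    VendorId   = $vendorId
                    ProductId  = $productId
                    Instance   = $Matches[3]
                    Excluded   = ($vendorId -eq $authorizedVendorId -and
                                  $authorizedProductIds -contains $productId)
                }
            }
        }
}

function Get-RemovableVolumes {
    # DriveType 2 = removable disk. These are the file system level attributes
    # (file system type, volume label) that removable storage rules can match.
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2' |
        Select-Object DeviceID, FileSystem, VolumeName,
                      @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } }
}

Get-UsbDeviceIds     | Format-Table -AutoSize
Get-RemovableVolumes | Format-Table -AutoSize
```

Two caveats follow from what the output shows. A Vendor ID/Product ID pair identifies a product line, not an individual drive: any USB device that presents 1A4B with one of the listed product IDs, including a programmable device configured to do so, is excluded from the read-only rule, so the exclusion should be paired with the drives' own encryption and not treated as device authentication. And a device that enumerates as USB but not as a removable disk (an MP3 player exposed as a media device, for example) will not appear in the second list and needs a definition that matches it on the attributes it does report.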
Use case: Blocking files containing personal identity information
In the Navigation Bar under Rules, select Tagging Rules. Right-click in the tagging rules
panel, click Add New | Content Based Tagging Rule, and type SSN Tagging Rule to
rename the rule.
Double-click the rule to edit it. From the pre-defined list of secured text patterns, check
Social Security Number. Click Next.
On the tags page, click Add New, type SSN Tag in the Name text box, click OK, then
Finish.
In the Navigation Bar under Rules, select Reaction Rules. Right-click in the panel, click
Add New | Removable Storage Protection Rule, and rename it Block PII copied to
removable storage.
Double-click the rule to open the wizard. You can skip all of the steps except the following:
a On the tags page, select the SSN tag created in step 4.
b On the actions page, select Block, Monitor, Notify User, and Store Evidence.
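A content based tagging rule differs from the device rules above in that every file copied to removable media is inspected, so false positives (nine-digit part numbers, order IDs) become a support cost rather than a silent gap. The following PowerShell snippet is an added example, not part of the McAfee guide, that runs a Social Security Number pattern over a few constructed sample files to show what such a rule tags and what it lets through. The exact pattern behind McAfee's pre-defined Social Security Number entry is not given on this page; the regex and the structural checks below (area number not 000, 666 or 900-999, group not 00, serial not 0000, per the SSA numbering rules) are this example's own assumptions, and the sample file contents are made up.

```powershell
# Added example, not part of the McAfee guide. Checks which files a Social
# Security Number text pattern would tag. The regex is an assumption; it
# requires the ###-##-#### form and rejects area 000/666/9xx, group 00
# and serial 0000 so that arbitrary nine-digit numbers are not tagged.

$ssnRegex = '\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b'

function Test-SsnTag {
    param([string]$Path)
    $found = Select-String -Path $Path -Pattern $ssnRegex -AllMatches
    $count = ($found | ForEach-Object { $_.Matches.Count } | Measure-Object -Sum).Sum
    [pscustomobject]@{
        File       = Split-Path $Path -Leaf
        SsnMatches = [int]$count
        Tagged     = ([int]$count -gt 0)
    }
}

# Constructed sample files (made-up content, not real data)
$dir = Join-Path $env:TEMP 'ssn-tag-check'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
Set-Content -Path (Join-Path $dir 'hr-export.csv') -Value @(
    'name,ssn',
    'A. Example,123-45-6789',    # structurally valid  -> tagged
    'B. Example,000-12-3456'     # area 000 is invalid -> not counted
)
Set-Content -Path (Join-Path $dir 'part-numbers.txt') -Value 'Part 987-65-4321 ships in lot 4'  # area 9xx -> not tagged
Set-Content -Path (Join-Path $dir 'minutes.txt') -Value 'Nothing sensitive here.'

Get-ChildItem -Path $dir -File | ForEach-Object { Test-SsnTag -Path $_.FullName } | Format-Table -AutoSize
```

Expected outcome with these inputs: hr-export.csv is tagged with one match, the other two files are not. Running the same function over a sample of a file share before the reaction rule goes live gives a rough count of how many copies the Block action will interrupt, and the Store Evidence action selected in step b is what lets those hits be reviewed afterwards.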
Use case: Blocking files created by a GIS application
Right-click in the application list panel, and click Add. Browse to the GIS application
executable, then click Open. Note the exact executable name. You will need it in the next
step. Click Add, then Close.
In the Navigation Bar under Applications, select Application Groups. Right-click in the
panel, and click Add New | Application Group. Type GIS Applications in the Name text
box and press Enter.
Double-click the GIS Applications group. Browse to the name of the vendor and select
it. Click the plus sign next to the name to view the details. If there are other products by
the same vendor you don't want to include in the rule, deselect them.
In the Navigation Bar under Rules, select Tagging Rules. Right-click in the tagging rules
panel, click Add New | Application Based Tagging Rule, and type GIS Tagging Rule to
rename the rule.
(Optional) Click Select from list, select Graphic files, then click Next three times to
reach the Tags page.
Click Add New, name the tag GIS Tag, click OK, then Finish.
In the Navigation Bar under Rules, select Reaction Rules. Right-click in the panel, click
Add New | Removable Storage Protection Rule, and rename it Block GIS files copied
to removable storage.
Double-click the rule to open the wizard. You can skip all of the steps except the following:
a On the tags page, select the GIS Tag created in step 6.
b On the actions page, select Block, Monitor, Notify User, and Store Evidence.
Use case: Disabling all CD/DVD burners from writing
Alcohol 120%
Iomega Hotburn
Example
Right-click in the device definitions panel, and click Add New | Removable Storage
Device Definition. Type CD/DVD Devices to rename, and press Enter.
Double-click the device definition to edit it. Select CD/DVD Drives and click OK to close
the definition dialog.
Right-click in the device definitions panel, and click Add New | Removable Storage
Device Rule. Type Block all CD-R burning to rename, and press Enter.
Double-click to edit the rule. Select CD/DVD Devices in the Include column. Click Next.